I'm soon having another connection with a static IP (from the university) which has daily restrictions on the amount of transferred data. I also have this DSL connection with DHCP. I started to think that I would like to route/redirect some bandwidth-eating ports from LAN computers to use DSL. This also offers me a chance to "learn" some more PF. I planned that my DSL external interface would be bfe0 and the static one would be dc0.

Oh, and the ports I want to put through DSL are all the ports I have defined for LAN machines below.

Edit: (Coming to think of it, a second scenario would be that all other traffic goes through DSL except HTTP and port 28960 from the LAN. Actually this is much more straightforward too.)

I know it's annoying if someone asks for ready configurations/examples, but it would be very nice. I'm not the type who just puts it to use and enjoys it. I really like to know how the thing works before I put it into use. So I read the conf over and over again till I get it.

Of course any other help/hints concerning that conf are welcome. Thank you very much for your time.

I only have one single internet connection to play with, not two, so I cannot give you any practical advice.

RE: ext_gw

From that section of the pf user guide:

Quote:

One additional piece of information that's needed to do this is the IP address of the adjacent router on each Internet connection. This is fed to the route-to option to control the destination of outgoing packets.

What am I missing? I also tested connecting via port 28960 UDP from my LAN, and pftop showed that it's going out on the right interface. The above I got when I tried to open a page with the browser, which timed out after a while. At least the box can connect, because my dnsmasq can provide DNS information to the LAN computers.

Last edited by Calderon; 17th September 2008 at 06:06 AM.
Reason: additional information

Now I have 2 "external" NICs. I want sshd to listen on bfe0 port 22 and on rl0 port 8081 (the university line has only this port open for remote cons). I have sshd configured for that and I think it's fine.

Here's the ruleset. I think the bold one is the most relevant.

Code:

bsdkone# pfctl -s rules
scrub in all no-df fragment reassemble
block return log all
block return in quick on bfe0 proto tcp from <sshguard> to any port = ssh label "ssh bruteforce"
block drop in on ! lo0 inet6 from ::1 to any
block drop in on ! lo0 inet from 127.0.0.0/8 to any
anchor "ftp-proxy/*" all
pass out proto ipv6 all keep state
pass in proto ipv6 all keep state
pass out on xl0 inet from any to 192.168.133.0/24 flags S/SA keep state
pass out on xl0 inet6 from any to 2001:14b8:125::/64 flags S/SA keep state
pass in quick on xl0 inet from 192.168.133.0/24 to 192.168.133.1 flags S/SA keep state
pass in quick on xl0 inet6 from 2001:14b8:125::/64 to fe80::250:4ff:feaf:97b0 flags S/SA keep state
pass in quick on xl0 inet6 from 2001:14b8:125::/64 to 2001:14b8:125::10 flags S/SA keep state
pass in quick on xl0 route-to (rl0 94.237.80.1) inet proto udp from 192.168.133.0/24 port = 28960 to ! 88.192.186.40 keep state
pass in on xl0 route-to (bfe0 84.249.128.1) inet proto tcp from 192.168.133.0/24 to any flags S/SA modulate state
pass in on xl0 route-to (bfe0 84.249.128.1) inet proto udp from 192.168.133.0/24 to any keep state
pass in on xl0 route-to (bfe0 84.249.128.1) inet proto icmp from 192.168.133.0/24 to any keep state
pass out on bfe0 proto tcp all flags S/SA keep state
pass out on bfe0 proto udp all keep state
pass out on bfe0 proto icmp all keep state
pass out on rl0 proto tcp all flags S/SA keep state
pass out on rl0 proto udp all keep state
pass out on rl0 proto icmp all keep state
pass out on bfe0 route-to (rl0 94.237.80.1) inet from 94.237.82.251 to any flags S/SA keep state
pass out on rl0 route-to (bfe0 84.249.128.1) inet from 88.192.186.40 to any flags S/SA keep state
pass quick on xl0 all flags S/SA keep state
pass in on rl0 inet proto tcp from any to (rl0) port = 8081 flags S/SA keep state
pass in quick on bfe0 inet proto tcp from any to (bfe0) port = http flags S/SA keep state
pass in quick on bfe0 inet proto tcp from any to (bfe0) port = ssh flags S/SA keep state
pass in quick on bfe0 inet proto udp from any to (bfe0) port = 28960 keep state
pass in quick on bfe0 inet proto tcp from any to (bfe0) port = 28960 flags S/SA keep state
pass in quick on bfe0 inet proto tcp from any to (bfe0) port = smtp flags S/SA keep state

set state-policy
    The state-policy option sets the default behaviour for states:
    if-bound    States are bound to interface.
    floating    States can match packets on any interfaces (the default).
    For example:
        set state-policy if-bound

reply-to
    The reply-to option is similar to route-to, but routes packets that pass in the opposite direction (replies) to the specified interface. Opposite direction is only defined in the context of a state entry, and reply-to is useful only in rules that create state. It can be used on systems with multiple external connections to route all outgoing packets of a connection through the interface the incoming connection arrived through (symmetric routing enforcement).

I tried if-bound and still got no connection; the answering packets on bfe0 disappeared, though. Is my rule in the wrong place or something?

No, it shows you that the return packets 'cling' to the interface they were received on (because they're only allowed to create state there). They simply won't go out now because they have no routing (the default route which they used to go to is on the interface they're now not allowed to use).

What reply-to does is basically two things:

reply-to ( $nic $gw )

1. provide the physical way out -> nic
2. provide the necessary routing for that action -> gateway
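Putting the pieces of this thread together (the route-to steering of the game port asked about in the first post, the two sshd listeners, and the reply-to explanation just above), here is an added, complete pf.conf for the two-WAN box. This is my own example, not a configuration posted in the thread: the macro names ($ext_if1, $ext_gw1, $ext_if2, $ext_gw2, $int_if, $lan, $game_port) are my own, the interface names, gateway addresses and LAN prefix are taken from the pfctl output above, and it is IPv4 only (the thread's IPv6 rules are left out). It assumes OpenBSD-era pf syntax with separate nat rules and a default route on bfe0.

```pf
# Added example, not from the thread.  Values below come from the
# "pfctl -s rules" output posted earlier; macro names are my own.
ext_if1   = "bfe0"            # DSL line, carries the default route
ext_gw1   = "84.249.128.1"    # next hop on the DSL line
ext_if2   = "rl0"             # university static line
ext_gw2   = "94.237.80.1"     # next hop on the university line
int_if    = "xl0"
lan       = "192.168.133.0/24"
game_port = "28960"

# reply-to only works with floating states (this is the default, but the
# thread shows what happens with if-bound, so it is stated explicitly).
set state-policy floating
scrub in all

# Translate LAN traffic to the address of whichever line it actually leaves on.
nat on $ext_if1 from $lan to any -> ($ext_if1)
nat on $ext_if2 from $lan to any -> ($ext_if2)

block return log all
antispoof quick for { lo0 $int_if }

# LAN clients talking to the firewall itself (DNS from dnsmasq etc.).
pass in quick on $int_if from $lan to ($int_if) keep state

# Game traffic from the LAN is steered out the university line with route-to.
# As in the thread, the match is on the client's source port.
# Everything else from the LAN follows the default route, i.e. DSL.
pass in quick on $int_if route-to ($ext_if2 $ext_gw2) proto udp \
    from $lan port $game_port to any keep state
pass in on $int_if from $lan to any keep state

# Anything may leave either line.  The two route-to rules catch packets that
# the kernel routed out the wrong interface (source address belongs to the
# other line) and push them out the right one, as in the posted ruleset.
pass out on $ext_if1 keep state
pass out on $ext_if2 keep state
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from ($ext_if2) to any keep state
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from ($ext_if1) to any keep state

# sshd on the default-route line needs no reply-to: replies take the default
# route, which already leaves bfe0.
pass in quick on $ext_if1 proto tcp from any to ($ext_if1) port ssh keep state

# sshd on port 8081 on the university line: without reply-to the SYN/ACK
# would follow the default route out bfe0 with rl0's source address and the
# session never completes.  reply-to pins the replies to rl0 and its gateway.
pass in quick on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp \
    from any to ($ext_if2) port 8081 keep state (floating)
```

Parse it with `pfctl -nf /etc/pf.conf` before loading, then watch `pfctl -vs rules`: the per-rule packet counters show whether the port 8081 rule is the one creating the state, and `pfctl -ss` shows the state itself. If the only thing you change is `set state-policy if-bound`, the 8081 connection stops working again, which is exactly the symptom reported in this thread: the state is then tied to rl0, but the reply packet is still routed out bfe0 where no state exists.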

pass in quick on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to ($ext_if2) port 8081 keep state (floating)

This line alone pretty much did it. I still had if-bound on and it didn't work with that, so... More problems when I didn't notice that there was some DHCP problem on the ISP end and my IP had changed (it had been the same since I got it), and stuff like that.

Anyway, a nice lesson again in how things work for me; the harder it is, the better you remember :-)